SECURE DISTRIBUTED COMPUTATION IN CRYPTOGRAPHIC APPLICATIONS

Field of the Invention

The invention relates generally to cryptographic techniques which may be implemented in 
computer networks or other types of information processing systems, and more particularly to 
techniques for performing computations such as exponentiation in a secure distributed manner within 
such systems. 


Background of the Invention 

Exponentiation is a fundamental operation in many cryptographic applications, including multi-party public key encryption, decryption and digital signature protocols. Exponentiation is also an expensive operation in terms of the computational resources that it requires. For example, using standard window-based methods, about 200 modular multiplications are typically required per exponentiation for exponent sizes of around 160 bits. There are a number of known techniques that attempt to improve the computational efficiency of exponentiation. However, such techniques have generally only been successful in providing an improvement for so-called large batches of computations, which typically include many thousands of similar computations. More specifically, amortization techniques such as those described in J. Bos and M. Coster, "Addition Chain Heuristics," Proceedings of CRYPTO '98, pp. 400-407, which is incorporated by reference herein, are particularly efficient for performing exponentiation in large batches.

Unfortunately, these and other techniques have been unable to provide significant improvements over the above-noted window-based methods for small batches of computations. These small batches of computations are typically associated with cryptographic applications involving smart cards and other devices having limited computational and memory resources.

It is also known in the art to utilize distributed servers to assist in performing cryptography-related computations. Examples of such techniques are described in M. Abadi, J. Feigenbaum and J. Kilian, "On Hiding Information From an Oracle," Journal of Computer and System Sciences, Vol. 39, No. 1, pp. 21-50, August 1989, and M. Bellare, J.A. Garay and T. Rabin, "Fast Batch Verification for Modular Exponentiation and Digital Signatures," Proceedings of EUROCRYPT '98, pp. 236-250, both of which are incorporated by reference herein.

Jakobsson 44-6

Other known techniques are described in V. Boyko, M. Peinado and R. Venkatesan, "Speeding up Discrete Log and Factoring Based Schemes via Precomputations," Proceedings of EUROCRYPT '98, pp. 221-235, which is incorporated by reference herein.

The above-noted conventional techniques exhibit significant drawbacks. For example, those described in the above-cited V. Boyko et al. reference generally require that the input exponents for which computation is to be performed exhibit a particular near-random distribution. These techniques are therefore not appropriate for computations involving arbitrary input values.

It is apparent from the foregoing that a need exists in the art for techniques for performing exponentiation and other computational tasks utilizing arbitrary input values and in a manner that can provide improvements over conventional techniques for both small batches and large batches of computations.

Summary of the Invention

The present invention provides methods and apparatus for secure distributed performance of exponentiation or other computational tasks in cryptographic applications.

In accordance with one aspect of the invention, an exponentiation operation or other computational task associated with a cryptographic protocol is performed in a secure distributed manner using multiple machines, e.g., a client device and multiple servers of a computer network. The computational task is transformed by an originator machine before being sent to one or more external servers for execution. The transformation may include replication and dependency operations to provide robustness to errors in the computations performed by the external servers, and blinding and permutation operations to provide privacy for secret information associated with the computational task. The transformed computational task is executed by the one or more external servers, and the results of the transformed computational task are transmitted back to the originator machine. The originator machine transforms the results of the transformed computational task in a manner which permits verification that the one or more results are appropriate results for a given input.
Advantageously, the present invention can operate with arbitrary inputs, and thus avoids the problems associated with conventional techniques that require inputs having a particular near-random distribution. In addition, the invention provides a substantial reduction in computational complexity for small batches of computations relative to the above-noted window-based methods. The invention can also provide reductions in computational complexity for large batches of computations relative to the above-noted amortization techniques.



Brief Description of the Drawings 

FIG. 1 shows an illustrative embodiment of an information processing system configured to provide secure distributed computation in accordance with the invention.

FIG. 2 is a block diagram of one possible implementation of a given one of the elements of 
the system of FIG. 1. 

FIG. 3 illustrates a secure distributed computation process that is implemented in the system of FIG. 1 in accordance with the invention.

FIGS. 4, 5, 6 and 7 illustrate example replication, dependency, blinding and permutation operations, respectively, of the FIG. 3 process.

Detailed Description of the Invention 

The present invention will be illustrated below in conjunction with an example information processing system in which the secure distributed computation techniques of the invention are implemented over the Internet or other type of communication network in conjunction with a digital signature protocol. It should be understood, however, that the invention is more generally applicable to any type of electronic system or device application in which it is desirable to provide secure distributed computation. For example, although particularly well suited for use with computer communications over the Internet or other computer networks, the invention can also be applied to numerous other information processing applications, including applications involving information transmission over wireless networks using wireless devices such as mobile telephones or personal digital assistants (PDAs), and involving other types of client devices such as smart cards and smart card readers.
FIG. 1 shows an exemplary system 100 in which the secure distributed computation techniques of the invention are implemented. The system 100 includes an originator 102 which communicates with a set of servers 104 over a network 106. More particularly, the system 100 as shown includes a set of N servers 104-1, 104-2, . . . 104-N, each coupled to the network 106. As will be described in greater detail below in conjunction with FIG. 3, the originator 102 performs computational task transformation and corresponding results transformation operations of a secure distributed computation process of the present invention. The originator 102 may be viewed in this embodiment as a client device, or alternatively as another server coupled to the network 106.

The set of servers 104 may be viewed as a set of "untrusted" external servers that perform computational tasks at the request of the originator 102. These servers are untrusted in that they are assumed to be accessible to an adversary that may attempt to perform attacks on the security of the computations, e.g., may attempt to obtain a secret key of the originator used in a digital signature protocol or otherwise attempt to obtain unauthorized access to information, or may attempt to corrupt the computations performed by the servers in a manner that is not detectable by the originator. The servers 104 are considered external relative to originator 102 in that they represent computational resources not directly available within the originator 102. The resources of the originator 102 are considered local resources in this embodiment.

Each of the elements 102 and 104 is more generally referred to herein as a "machine." It should be understood that the term "machine" as used herein is intended to include any type of processing system or device capable of performing at least a portion of a secure distributed computation process in accordance with the invention.

Element 102 if implemented as a client device may be one or more desktop or portable 
personal computers, mobile telephones, PDAs, television set-top boxes or any other types of devices 
capable of transmitting or receiving information over network 106. 

The term "computer" as used herein is intended to be construed generally so as to include any of the above-noted client devices, any of the servers, or combinations of one or more of the client devices and one or more of the servers.

The network 106 may be a local area network, a metropolitan area network, a wide area network, a global data communications network such as the Internet, a private "intranet" network, an "ad-hoc" network or any other suitable data communication medium, as well as portions or combinations of such networks or other communication media.

It should be understood that although particular arrangements of originator 102 and servers 104 are shown in the FIG. 1 embodiment, the invention is more generally applicable to any number, type and arrangement of different client devices and servers.

FIG. 2 shows one possible implementation of a given one of the originator 102 or servers 104 of system 100. The implementation in FIG. 2 may thus represent one or more of the elements 102 and 104, as well as portions of these elements. This implementation includes a processor 200, an electronic memory 220, a disk-based memory 240, and a network interface 260, all of which communicate over a bus 270. One or more of the processing elements of system 100 may thus be implemented as a personal computer, a mainframe computer, a computer workstation, a smart card in conjunction with a card reader, or any other type of digital data processor, as well as various portions or combinations thereof. The processor 200 may represent a microprocessor, a central processing unit, a digital signal processor, an application-specific integrated circuit (ASIC), or other suitable processing circuitry. It should be emphasized that the implementation shown in FIG. 2 is simplified for clarity of illustration, and may include additional elements not shown in the figure. In addition, other arrangements of processing elements may be used to implement one or more of the elements of the system 100.

The elements 102 and 104 of system 100 execute software programs in accordance with the invention in order to provide secure distributed computation in a manner to be described in detail below. The invention may be embodied in whole or in part in one or more software programs stored in one or more of the element memories, or in one or more programs stored on other machine-readable media associated with one or more of the elements of the system 100.

FIG. 3 illustrates an embodiment of a secure distributed computation process that is implemented in the system 100 of FIG. 1 in accordance with the present invention. The figure is divided by a vertical dashed line into operations performed by the originator 102 and operations performed by the servers 104. The process includes task transformation 300, computation performance 302 and result transformation 304. The task transformation 300 and result transformation 304 are carried out by the originator 102 in this embodiment, while the computation performance 302 is carried out by the servers 104.

In task transformation 300, the originator 102 receives an original computational task as input and performs a replication operation 310, a dependency operation 312, a blinding operation 314 and a random permutation operation 316 as shown. Examples of the operations 310, 312, 314 and 316 suitable for a digital signature protocol will be described in greater detail below in conjunction with FIGS. 4, 5, 6 and 7, respectively. These operations are configured such that the servers 104 are unable to derive secret information from or otherwise undermine the computations to the detriment of the originator 102.

The resulting transformed task is delivered over network 106 to one or more of the servers 104, which perform the computation as indicated at 302. One or more results of the computation are delivered from the server or servers via network 106 back to the originator 102, which then performs the result transformation 304.

In the result transformation 304, the originator processes the result(s) of the transformed task using invert permutation and invert blinding operation 320, followed by a verification operation 322. Examples of these operations for the digital signature protocol will also be described in greater detail below. The output of the result transformation 304 represents the results of the original input computational task.

The invention will now be illustrated in greater detail using a particular type of computational task associated with the generation of digital signatures in accordance with the Digital Signature Algorithm (DSA), described in National Institute of Standards and Technology (NIST), "FIPS Publication 186-1: Digital Signature Standard," December 15, 1998, which is incorporated by reference herein. It should be understood, however, that the use of DSA signature generation to illustrate the invention is by way of example only. Those skilled in the art will recognize that the techniques of the invention are more generally applicable to a wide variety of other types of cryptographic computations.

The above-noted DSA signature generation is characterized by a large amount of exponentiation. More particularly, one of the computational tasks associated with DSA signature generation is to compute $r = g^k \bmod p$, where $g$ denotes a generator, $k$ is a secret key in $\mathbb{Z}_q$, and $p$ and $q$ are primes such that $q$ divides $p - 1$, and where $|p| = 1024$ and $|q| = 160$. In accordance with the invention, this computational task is transformed by the originator 102, the transformed task is then sent to the external servers 104 for computation, and finally the results sent back to the originator by the external servers are transformed by the originator to obtain the desired results of the original task. The originator 102 in this example is also referred to as the "signer" of the digital signature. In the description below relating to performance of this computational task for DSA digital signatures, all operations are assumed to be performed modulo $p$, where applicable, unless otherwise noted.

The following is a general description of the task transformation techniques utilized in the illustrative embodiment of FIG. 3 to ensure that the above-noted example computational task can be performed in a secure manner by the set of untrusted external servers 104 in system 100. This general description will be followed by a description of more specific implementations for large batches and small batches.

1. Replication (Operation 310 in FIG. 3). Instead of delegating a given computational task only once to the external servers, the task is delegated $x$ times. Since each task is delegated $x$ times, both local and external costs increase by a factor $x$, not including minor amortization gains.

2. Dependency (Operation 312 in FIG. 3). Including dependencies in the transformed computations performed by the external servers leads to error propagation, which reduces the success probability of attacks in which an adversary provides incorrect results. Dependency, when used in combination with replication, allows detection of errors and malicious results. Dependencies can be implemented by "linking" tasks to one another, e.g., making one result depend on two or more other results, which may in turn depend on others. By way of example, dependencies can be introduced by transforming a computational task involving the exponents $k_1, \ldots, k_n$ to a task involving the exponents $k'_1, \ldots, k'_n$, defined in terms of parameters $\alpha, \beta \in \{-1, 0, 1\}$. Depending on the values of $\alpha$ and $\beta$, different levels of error propagation can be achieved. While error propagation is very useful for detecting forgery, it also requires recomputation of many exponentiations. For efficiency reasons, dependency is preferably utilized in conjunction with other mechanisms as in the FIG. 3 embodiment. It should be emphasized that, as noted above, more than two results may be linked together in a given dependency. A generalized formula for this type of dependency is as follows:



where $\beta_i$ and the other coefficients are in $\mathbb{Z}_q$.

As another example, the dependencies can be introduced on blocks of size $b < n$, where $b \cdot b' = n$, as follows:

for $1 \le i \le b'$.

Dependency and replication represent examples of error detection and correction techniques that may be utilized in conjunction with the invention. Other examples of such techniques include checksums and insertion of known values. Such techniques are more generally referred to herein as "error-related operations," since these techniques when utilized permit detection and/or correction of errors in computations performed by the external servers.

Checksums are values that depend on subsets of other values, and which are checked by multiplying the other values together and comparing to the corresponding checksum values. It is generally an expensive operation to verify the checksums, requiring roughly one multiplication per item selected for the checksum. However, checksums can be used as a recovery method to locate good sections of a corrupted set of computed values, and are therefore beneficial given the negligible precomputation costs of the operation.

With regard to known values, the originator may insert into a batch of computations to be delegated a number $w$ of simple tasks having known results, for example an exponent equal to 0, resulting in $g^0 = 1$. Such simple computational tasks cannot be distinguished from other tasks once they are blinded. This allows the detection of so-called offset attacks, in which the adversary correctly computes all tasks, and then offsets all of the replies using the same multiplicative offset. Both the additional local and external costs associated with insertion of known values are negligible.

These and other error detection and correction techniques may be used in conjunction with or in place of replication and dependency in a given embodiment of the invention.

3. Blinding (Operation 314 in FIG. 3). Blinding can be implemented by applying a random and secret offset to each exponentiation in a given batch of computations. The offsets may be selected in a particular manner in order to keep the costs of the operation down, as will be described in more detail below. The additional local cost incurred by blinding includes a first cost associated with applying the offsets to the exponents, and a second cost associated with removing the resulting offsets from the results returned by the external servers. The blinding does not affect the amount of computation to be performed by the external servers.

The blinding for the exponent vector $(k_1, \ldots, k_n)$ may be implemented by first choosing $e$ random numbers $r_1, \ldots, r_e \in \{0, \ldots, q-1\}$. Then, for each exponent $k_j$ with $1 \le j \le n$, $d$ elements are chosen and the new exponents are computed as

$$k'_j = k_j - \sum_{i=1}^{e} \gamma_{i,j}\, r_i \bmod q$$

where $\gamma_{i,j} \in \{0, 1\}$ and $\sum_{i=1}^{e} \gamma_{i,j} = d$.

It is important not to select two equal sets of blinding values for combination, since the resulting blinded elements could be canceled by random guessing and thereby leak the secret key. Instead, one may select the blinding values by enumeration over all sets with a particular minimum Hamming distance, where the Hamming distance of two sets $S_1, S_2$ is defined as the number of elements of $(S_1 \cup S_2) \setminus (S_1 \cap S_2)$. The Hamming distance in turn determines how many portions have to be combined by the adversary in order to cancel blinding elements. The sets of blinding elements form a so-called constant weight code with length $n$ and weight $d$. Additional details regarding such codes are described in, e.g., J.H. Conway et al., "Sphere Packings, Lattices and Groups," Springer, 1993, and E.M. Rains et al., "Table of Constant Weight Binary Codes," http://www.research.att.com/~njas/codes/Andw/, 2000, which are incorporated by reference herein.
Computing the actual signatures corresponding to the exponents $k_1, \ldots, k_n$ requires the computation of

$$g^{\sum_{i=1}^{e} \gamma_{i,j}\, r_i \bmod q}$$

for $1 \le j \le n$ by the signer. Using standard methods, $g^{r_i}$ for $1 \le i \le e$ can be computed with approximately 200 multiplications, and the precomputation of all possible pairs $g^{r_i + r_j \bmod q}$ with $1 \le i < j \le e$ requires at most $\binom{e}{2}$ multiplications (one per pair). Thus, the additional costs for the signer computing the original signature amount to
4. Permutation (Operation 316 of FIG. 3). The order of computational tasks sent to the external servers can be randomly permuted within a given batch of tasks. Permutation is helpful as it forces the adversary to guess what exponentiations correspond to what digital signature. The costs incurred by the originator to perform this operation are insignificant. The permutation does not affect the amount of computation to be performed by the external servers.

A more specific implementation particularly well suited for use with large batches of computations will now be described with reference to FIGS. 4, 5, 6 and 7. Such large batches are typical in Internet-based implementations of the system 100 of FIG. 1.

Assume for this example implementation that the input to the task transformation 300 of FIG. 3 comprises a vector $((g, k_1), \ldots, (g, k_n))$ corresponding to an implicit request to compute $(g^{k_1}, \ldots, g^{k_n})$. This input is denoted herein by a vector $G_1 = (k_1, \ldots, k_n)$ and represents an original computational task for the DSA digital signature protocol. The signer (originator 102) transforms the original computational task using replication operation 310, dependency operation 312, blinding operation 314 and permutation operation 316 of FIG. 3.

FIG. 4 illustrates the replication operation 310 in greater detail. In this operation, the vector $G_1$ is first extended by replicating the last element thereof, i.e., $k_{n+1} = k_n$. Then, the resulting extended vector is repeated three times as shown. More specifically, the original vector $G_1 = (k_1, \ldots, k_n)$ is transformed into a new vector

$$G_2 = (k_1, \ldots, k_n, k_{n+1},\; k_1, \ldots, k_n, k_{n+1},\; k_1, \ldots, k_n, k_{n+1}).$$

FIG. 5 illustrates the dependency operation 312 in greater detail. In this operation, dependency is introduced by transforming the third part of the vector $G_2$, yielding a vector $G_3 = (K_1, \ldots, K_{3n+3})$, where $K_i = (G_2)_i$ for $1 \le i \le 2n + 2$, and for $2n + 3 \le i \le 3n + 3$ the $K_i$ are inductively defined, with a base case at $i = 2n + 3$ and, for $2n + 3 < i \le 3n + 3$, each $K_i$ computed modulo $q$ from earlier elements of the vector.

It should be noted that these dependencies can also be interpreted as checksums, and so there is no need to introduce additional checksums.

FIG. 6 illustrates the blinding operation 314 in greater detail. In this operation, $e$ random numbers $r_1, \ldots, r_e \in \{0, \ldots, q-1\}$ are picked. Then, for each element $(G_3)_i$ of the vector $G_3$, $d$ elements $\rho_{1,(G_3)_i}, \ldots, \rho_{d,(G_3)_i}$ are selected from $R = \{r_1, \ldots, r_e\}$ in the manner previously described, and a new vector

$$G_4 = (K'_1, \ldots, K'_{3n+3})$$

is computed as

$$K'_i = (G_3)_i - \sum_{l=1}^{d} \rho_{l,(G_3)_i} \bmod q \quad \text{for } 1 \le i \le 3n + 3.$$

FIG. 7 illustrates the random permutation operation 316 in greater detail. In this operation, a permutation $\Pi$ on the vector $G_4$ is selected uniformly at random, resulting in a new vector

$$G_5 = \Pi(G_4).$$

The vector $G_5$ may be broken up into blocks of appropriate size, and communicated to the external servers. It should be noted that the generator value $g$ need only be communicated once. In this embodiment, if a vector $(A_1, \ldots, A_t)$ is sent to a given computing server in the set of servers 104, the latter is expected to compute and return the vector $(g^{A_1}, \ldots, g^{A_t})$.

The result transformation 304 in this implementation is performed as follows. It is assumed that the input to result transformation 304 is a vector $G_6$ whose elements comprise the values returned by the external servers, arranged in the order in which the corresponding computation requests were sent to the external servers, so that a reply to a given portion of a request is entered in the same position from which that portion was taken. As noted previously, result transformation 304 includes invert operation 320 and verification operation 322.

Operation 320 of result transformation 304 performs inverse permutation and inverse blinding operations. In the inverse permutation operation, the signer constructs a new vector by applying an inverse of the permutation applied in step 316 of the task transformation 300. This results in the vector

$$G_7 = \Pi^{-1}(G_6).$$

In the inverse blinding operation, for each $1 \le i \le 3n + 3$, the signer computes

$$(G_8)_i = (G_7)_i \cdot g^{\sum_{l=1}^{d} \rho_{l,(G_3)_i} \bmod q},$$

thus resulting in a vector $G_8$. This computation may be performed using well-known conventional methods for addition chains.

Verification operation 322 verifies the dependencies introduced in operation 312 and the replication introduced in operation 310. More particularly, operation 322 determines if $(G_8)_n = (G_8)_{n+1}$, $(G_8)_{2n+1} = (G_8)_{2n+2}$ and $(G_8)_{3n+2} = (G_8)_{3n+3}$, as well as whether for $1 \le i \le n$

$$(G_8)_{n+1+i} = (G_8)_i.$$

In addition, for $2 \le i \le n$ operation 322 checks inductively whether $(G_8)_{2n+2+i}$ stands in the relation to $(G_8)_{2n+1+i}$, $(G_8)_{i-1}$ and $(G_8)_i$ that is implied by the dependency of operation 312.

If so, the $(G_8)_i$ with $1 \le i \le n$ are the correct results of the delegated computations. Otherwise, if $1 \le j \le n$ is the index where the check fails, then the computations of $(G_8)_i$ with $1 \le i < j$ are correct. The values $(G_8)_i$ with $j \le i \le n$ are compared with $(G_8)_{n+1+i}$. If equality holds, these values are assumed to be correct. Otherwise, recomputation will be necessary as in the case of $(G_8)_j$.
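The following Python program, added here as an illustration and not part of the patent, walks the large-batch pipeline end to end on a toy DSA-style group: replication (operation 310), blinding with distinct d-subsets of e secret factors (operation 314), a uniformly random permutation (operation 316), simulated untrusted servers, and the inverse permutation, inverse blinding and replication checks of result transformation 304. The dependency operation 312 is replaced by the known-value insertion described earlier (tasks with exponent 0 that must come back as 1), which also shows why replication alone misses an offset attack while known values catch it; the group parameters and the values e = 8, d = 2, w = 2 are constructed for the example.

```python
import random
from itertools import combinations

# Toy DSA-style parameters, constructed for this example (far too small for real use):
# q prime, p = 2q + 1 prime, and g = 4 generates the order-q subgroup of Z_p^*.
Q, P, G = 1019, 2039, 4
assert pow(G, Q, P) == 1 and G != 1

E, D = 8, 2   # e secret blinding factors, d of them combined per exponent (assumed)
W = 2         # number of known-value tasks (exponent 0, expected reply 1) per batch


def replicate(ks):
    """Operation 310: duplicate the last exponent, then repeat the vector three times."""
    ext = list(ks) + [ks[-1]]
    return ext * 3


def blinding_sets(count, rng):
    """Distinct d-subsets of the e blinding factors, i.e. a constant-weight code of
    length e and weight d. No two exponents may share a set, or their blinding
    could be cancelled by combining the two delegated values."""
    pool = list(combinations(range(E), D))
    if count > len(pool):
        raise ValueError("batch too large for e=%d, d=%d" % (E, D))
    return rng.sample(pool, count)


def transform_task(ks, rng):
    """Task transformation 300: replicate, insert known values, blind, permute.
    Returns the vector to delegate and the secret state needed to undo it."""
    g2 = replicate(ks) + [0] * W                 # known values stand in for operation 312
    r = [rng.randrange(Q) for _ in range(E)]     # secret blinding factors r_1..r_e
    sets = blinding_sets(len(g2), rng)
    g4 = [(k - sum(r[j] for j in s)) % Q for k, s in zip(g2, sets)]   # operation 314
    perm = list(range(len(g4)))
    rng.shuffle(perm)                            # operation 316: uniform random permutation
    g5 = [g4[perm[i]] for i in range(len(g4))]
    return g5, {"r": r, "sets": sets, "perm": perm, "n": len(ks)}


def transform_result(g6, state):
    """Result transformation 304: invert permutation and blinding, then verify.
    Returns (results, None) on success or (None, reason) when a check fails."""
    r, sets, perm, n = state["r"], state["sets"], state["perm"], state["n"]
    g7 = [None] * len(g6)
    for i, v in enumerate(g6):
        g7[perm[i]] = v                          # inverse permutation
    g_r = [pow(G, ri, P) for ri in r]            # e exponentiations, once per batch
    g8 = []
    for v, s in zip(g7, sets):                   # inverse blinding: multiply by g^{sum r_j}
        for j in s:
            v = v * g_r[j] % P
        g8.append(v)
    m = n + 1                                    # length of one replicated block
    body, known = g8[:3 * m], g8[3 * m:]
    if any(v != 1 for v in known):               # an offset attack scales every reply alike
        return None, "known-value check failed"
    for i in range(m):
        if not body[i] == body[m + i] == body[2 * m + i]:
            return None, "replication mismatch at index %d" % i
    if body[n] != body[n - 1]:                   # k_{n+1} = k_n must give equal results
        return None, "duplicated last element mismatch"
    return body[:n], None


def honest_server(exps):
    return [pow(G, a, P) for a in exps]


def corrupt_one(exps, seed=7):
    """Untrusted server that silently alters a single reply."""
    out = honest_server(exps)
    i = random.Random(seed).randrange(len(out))
    out[i] = out[i] * G % P
    return out


def offset_all(exps):
    """Offset attack: every reply is correct up to the same multiplicative constant."""
    return [v * G % P for v in honest_server(exps)]


def delegate(ks, server, seed=1):
    """Run the whole pipeline against one (possibly misbehaving) server."""
    rng = random.Random(seed)
    g5, state = transform_task(ks, rng)
    return transform_result(server(g5), state)


if __name__ == "__main__":
    ks = [17, 900, 5, 1018]
    print(delegate(ks, honest_server))   # the four values g^k mod p, no error
    print(delegate(ks, corrupt_one))     # (None, '<reason>'): caught by a check
    print(delegate(ks, offset_all))      # (None, 'known-value check failed')
```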

Advantageously, the above-described secure distributed computation process is private, in that it does not leak secret information, and robust, in that it does not allow incorrect computation to go undetected. Moreover, it is efficient, in that it reduces the amount of local computation to be performed given some assumptions on the probability that a computational portion is correctly performed when delegated. These advantages of privacy, robustness and efficiency can be more formally defined as follows.

Let $T$ be a computational task, and $f$ an arbitrary function. It can be said that the delegation of $T$ is $\epsilon$-private with respect to $f$ if the adversary has only a negligible advantage $\epsilon$ in computing $f(x)$ for some input $x$ if performing the delegated computation and seeing the public input and output of the originator, compared to a setting where the adversary only sees the public input and output of the originator. In the context of the above-described distributed computations for digital signatures, the primary concern with regard to privacy is privacy of the exponent values for the signatures, which indirectly corresponds to the privacy of the secret signing key.

It can be shown that if one selects at least $e = 75$ blinding factors, then the above-described secure distributed computation process is 2^{-[illegible]}-private for input sizes larger than 100,000 and smaller than $\binom{75}{d}$.
The robustness of the process deals with a different kind of attack, namely an adversary trying to corrupt the computations. It can be said that a delegation of $T$ is $\epsilon$-robust if an adversary who controls all the external servers performing computation for the signer cannot corrupt the computation but for a probability $\epsilon$ over all random strings of the signer and all computational tasks $T$.
It can be shown that, for an input size $n$, the secure distributed computation process is [illegible]-robust against an adversary who controls all the external servers, for large batch sizes. Thus, for input sizes larger than 47,000 elements, an adversary has less than a probability 2^{-[illegible]} to corrupt the computation without detection. It can also be shown that it is necessary for an adversary to select a "coherent set" of at least six elements among the existing $3n + 3$ elements. Given a random distribution of the elements, the adversary can only succeed if the five last elements chosen are "coherent with" the first elements chosen, which gives the claimed probability of success.

With regard to efficiency, the primary concern is the amount of computation performed by the signer, i.e., local computations, and not the amount of computation performed by the external servers. It can be said that a delegation of a computational task $T$ is $(\epsilon, \nu)$-efficient if the computational load associated with the signer performing the computation $T$ is a fraction $\epsilon$ of that required by the signer if outsourcing $T$ to the external servers. This is relative to a certain fraction $\nu$ of incorrect responses that are scheduled by the adversary, and where the probability is over all random strings of the signer.

It can be shown that the secure distributed computation process is approximately [illegible]-efficient for batches of approximately 100,000 signatures, with an actual cost per signature of 8 multiplications. This corresponds to a local efficiency improvement of 20%, compared to conventional addition chain methods.

The secure distributed computation process described in conjunction with reference to FIGS. 4, 5, 6 and 7 can be modified in a straightforward manner to accommodate small batches of signatures. Such small batches are typical in smart card based implementations of the system 100 of FIG. 1. In one such implementation, the originator 102 is a computer, PDA, wireless telephone or other device equipped with a card reader able to read a smart card, with information on the smart card used to generate digital signatures or to support other cryptographic applications.
In a small-batch smart card implementation of the process, an initial exponentiation can be performed as part of a manufacturing or initialization process of the smart card, such that pairs $(r_i, g^{r_i})$ are stored in a memory of the card. Not all pairs are precomputed, due to memory capacity constraints. While in such an implementation the original vector has to be replicated seven times in order to obtain a robustness level corresponding to a probability of failure of 2^{-[illegible]} for a batch size of 20, the dependency is introduced as in the large-batch implementation previously described. In order to achieve a privacy level of 2^{-[illegible]}, a cumulative batch size should be at least about 80,000. The cumulative batch size corresponds to the number of signatures that can be generated by the smart card without "recharging." Therefore, it is sufficient to use 75 blinding factors, since $\binom{75}{d} > 80000 \cdot 9$, where 9 is the effect of replication and dependencies. The local cost per signature in this implementation is only 38 multiplications per signature, which is a substantial improvement relative to the approximately 200 multiplications that are needed for such small batches using conventional window-based methods. Thus, a small-batch implementation of the process illustrated in conjunction with FIGS. 4, 5, 6 and 7 is [illegible]-efficient, which corresponds to an 81% improvement over the conventional techniques.

As noted previously, the secure distributed computation process as described in conjunction with FIGS. 4, 5, 6 and 7 has a high degree of robustness. However, in applications in which robustness is not critical, e.g., in which a third party is employed to verify the signatures, the process can be altered to substantially reduce the costs. Similarly, if the distributed computation process is used for decryption instead of signature generation, redundancy checks of the resulting plaintexts can be used to obtain robustness at reduced costs.

It is also possible to further reduce the computational costs of the process by eliminating one or more operations such as the replication operation 310 or the dependency operation 312, with corresponding modification of the result transformation 304. It should be noted that these modifications do not alter the degree of privacy, but only the robustness.
It should be understood that the above-described embodiments of the invention are illustrative only. For example, the invention can be applied to any type of digital signature protocol and to numerous other cryptographic applications involving exponentiation or other computations suitable for delegation. These and numerous other alternative embodiments within the scope of the following claims will be apparent to those skilled in the art.